Using NAT with L2TP over IPSec

I recently installed PPTP on my company's Windows 2000 Server machine so that other users and I can reach the server from home. However, I now have an open Windows logon. Anyone with an Internet connection and a computer running Win2K, Windows NT, Windows Me, or Windows 98 can log on to the server if they know its IP address and can deduce a username and correlating password.

To reduce the risk, I renamed the Administrator username to something more difficult to figure out, and I removed the Guest username. Only users with password access can dial in using a RAS connection. I've placed the server behind a Cisco Systems' Cisco 677 ADSL router running Network Address Translation (NAT) and Port Address Translation (PAT), and I've configured the router to forward TCP port 1723 packets and IP Type 47 Generic Routing Encapsulation (GRE) packets from the WAN IP address to the internal IP address (i.e., the server's IP address). How safe is my open PPTP logon, and what else can I do to improve security?

When I received this question, I contacted the reader and suggested that he could use Layer 2 Tunneling Protocol (L2TP)—or in Win2K, L2TP over IP Security (IPSec)—to improve security. The reader responded that L2TP and NAT are incompatible—which isn't true. Granted, the router the reader uses can't support both L2TP over IPSec and NAT (in which case the only way the reader can improve security is to use a router that does support both L2TP over IPSec and NAT). However, the reader led me to believe that his misconception was based on more than his router's limitations.

I checked the Microsoft Windows 2000 Server Resource Kit and discovered that Chapter 9, "Virtual Private Networking," states that "L2TP over IPSec is not translatable by NAT because the UDP port number is encrypted, and its value is protected with a cryptographic checksum." The resource kit also states that "In L2TP over IPSec packets, UDP and TCP headers contain a checksum that includes the source and destination IP address of the plaintext IP header. The addresses in the plaintext IP header cannot be changed without invalidating the checksum in the TCP and UDP headers." These words are strong, so I don't wonder that the reader presumed that L2TP over IPSec is incompatible with NAT.

Contrary to the resource kit's information, many organizations can and do run L2TP over IPSec and NAT at the same time. Cisco has used IP Encapsulating Security Payload (ESP) to incorporate NAT and IPSec, and any concentrator or Cisco PIX router that runs a recent version of Cisco's Internetworking Operating System (IOS) can support both protocols. (I'm certain that other companies support IPSec and NAT, but in this case I'm familiar only with Cisco's solutions.) The Internet Engineering Task Force (IETF) Request for Comments (RFC) 2406 discusses the IP ESP protocol, and the Cisco articles "NAT Transparent Mode for IPSec" (http://www.cisco.com/warp/public/471/nat_trans.html) and "Reference Guide: Deploying IPSec" (http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/dplip_in.htm) discuss Cisco's NAT and IPSec integration process. (For more information about IPSec and Win2K, see Tao Zhou, "IP Security in Windows 2000," http://www.win2000mag.com, InstantDoc ID 7976.)